Chainguard Is Racing To Fix Trust In AI-built Software - Here's How

ZDNET's key takeaways

  • Chainguard targets open-core programs, GitHub Actions, and agent skills.
  • The approach starts with its new AI-powered Chainguard Factory 2.0.
  • The company is launching new security-first developer services.

From the stage of the Chainguard Assemble 2026 event in Manhattan, software security company Chainguard Co-Founder and CEO Dan Lorenc pulled up an audience member to saw a piece of wood with an old-fashioned handsaw. It did not go well, but the wood was cut eventually. Then, Lorenc pulled out a small power saw and cut the same piece in a few seconds. He then said, "It's hard to make mistakes with manual tools because you're going slower, while [AI] power tools are a lot more fun, but they're also a lot more dangerous. We lose a lot more fingers."

In short, we must learn to use power tools safely -- and that's what Chainguard is attempting to do. Lorenc framed the moment as an industry transition from "hand woodworking" to power tools and then to fully automated assembly lines, with AI agents driving much of the change. "In the next 12 months, the majority of code is going to be written by something different and something new," Lorenc said. The only way to keep up with AI-accelerated attackers is to automate away the traditional 30/60/90-day patch cycle and start from systems that are secure by design.

To achieve that goal, Chainguard has moved its methodology for automatically building operating system and application images from a brittle one to Chainguard Factory 2.0. Factory 2, the company said, has already removed more than 1.5 million vulnerabilities from customer production environments, up from 270,000 a year ago, by continuously rebuilding and repatching its images and packages from source.


Chainguard Factory 2.0 is a reconciling, AI-driven pipeline that pushes the company's catalog toward a desired state, whether that means zero known Common Vulnerabilities and Exposures (CVEs), passing a particular QA suite, or meeting performance or size constraints.

To achieve this state, Dustin Kirkland, Chainguard's SVP of engineering, explained in an interview with ZDNET, "We invested early and often with multiple different AI models, OpenAI, Claude, and Gemini." Early agents only succeeded "50–60%" of the time, he noted, but the misses became training data: "We could take the exhaust -- the things that didn't work -- go and fix that, and then feed that back into the model. And things just got better."

The turning point, said Kirkland, was the company's Driftless agentic framework, which "really plumb[ed] the reconciler model directly into the factory itself." He continued: "Here we get the self-healing mode… we decide what we want the end state to be... and then the reconciler will essentially just run in a loop solving problems until it meets those criteria."


That mode is a shift away from what Lorenc described as a fragile, event-driven Continuous Integration (CI) pipeline held together by "duct tape and baling wire" to a Kubernetes-style reconciler pattern where agents continuously nudge reality toward a target description. Thanks to agents tracking upstream releases, Chainguard can now support more than twice as many packages as before, securing and producing them in far less time.

For developers who want to produce safe, useful programs, that new approach means Chainguard is offering more than half a dozen new and improved services.

Embracing self-service

At the base of this stack is Chainguard OS. Chainguard said this Linux distribution is "fully bootstrapped from source" and not a derivative of Debian, Fedora, or other mainstream foundational Linux distributions that lag behind the latest patch releases. Using Chainguard OS, companies can now build their own bug-free custom Linux distributions, Kirkland said: "Customers can build any image they want from those packages… in any combination that they want."

He framed the shift as part of a broader push toward developer self-service: "Developers can get the software they need at the speed that they need it -- which is now."


Chainguard's container catalog remains its flagship product, and Product SVP Patrick Donahue highlighted that the company is now building more than 2,200 upstream projects into container images and maintaining over 30,000 OS packages. Donahue said that this volume is "an order of magnitude bigger than anybody else."

To make its products more accessible, Chainguard introduced a free Chainguard Catalog Starter tier. This tier gives users a choice of 5 free images. The tier is for developers who want to "give it a taste" and scale up later. Kirkland called this approach "leaning into developer self-service," giving engineers "access to 5 images at no charge" so they can get going without talking to sales.

More strategically, the company is moving beyond open-source images into what it calls Chainguard Commercial Builds. These are secure, Chainguard-built images for commercial and open-core software, such as GitLab Enterprise, Elastic, or NGINX. Kirkland explained: "Increasingly, we've had customers who come to us with either shared source models or commercial open-source models… 'How can we use Chainguard in our proprietary builds?' And the answer unequivocally is yes."

In these deals, Kirkland said Chainguard provides "the secure compiler and language runtimes and all of those libraries that it takes to build that image," giving vendors a hardened, zero-CVE-SLA base while allowing them to keep their proprietary IP closed. He predicted this approach "will revolutionize a bunch of the software out there that is distributed, built on top of a Debian or Fedora or an Alpine by offering a safe, secure, hardened, zero CVE alternative."

On the language side, Chainguard secures upstream repositories such as PyPI, Maven Central, and npm, where Donahue said more than 450,000 new malicious packages were observed across major registries in 2025. That's almost 1 per minute, if you're counting.


The company now claims about 96% coverage of Python dependencies, over a million Java artifact versions, and about 90% of the top 500 npm dependencies by download volume, with factory automation pointed at Java and JavaScript after Python. Given that many popular open-source repositories have been poisoned with malicious code, it's high time someone provided clean, secure programs.

To make consumption easier, Chainguard has launched the Chainguard Repository, its own artifact repository fronting those curated libraries. Instead of configuring each developer to fall back directly to upstream registries, customers can point CI and AI coding agents at the Chainguard Repository and enforce policies such as license allow-lists or a "cool-down period" that blocks brand-new libraries for a configurable number of days, allowing time for malware to be detected.
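As an added illustration of the license allow-list and cool-down policies described above (example code written for this article, not Chainguard's own software; the `Release` and `Policy` data model, the 7-day threshold and the sample releases are constructed assumptions), the resolver below skips any release younger than the cool-down and falls back to the newest release that has aged past it:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Tuple

@dataclass(frozen=True)
class Release:
    version: str
    license: str
    published: datetime  # UTC timestamp the registry lists for this version

@dataclass(frozen=True)
class Policy:
    allowed_licenses: frozenset
    cooldown_days: int  # brand-new releases stay blocked for this many days

def check(release: Release, policy: Policy, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason) for one release under the policy."""
    if release.license not in policy.allowed_licenses:
        return False, f"license {release.license!r} is not on the allow-list"
    age = now - release.published
    if age < timedelta(days=policy.cooldown_days):
        # Still inside the window in which malware in a fresh upload may not yet be detected.
        return False, f"published {age.days}d ago, cool-down is {policy.cooldown_days}d"
    return True, "ok"

def resolve(releases: Iterable[Release], policy: Policy, now: datetime) -> Optional[Release]:
    """Pick the newest release that passes the policy, or None if nothing qualifies."""
    # Newest first by publish time; a production resolver would order by version semantics.
    for rel in sorted(releases, key=lambda r: r.published, reverse=True):
        allowed, _ = check(rel, policy, now)
        if allowed:
            return rel
    return None

# Constructed sample data (hypothetical package, not real registry metadata).
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
POLICY = Policy(frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"}), cooldown_days=7)
SAMPLE = [
    Release("2.0.0", "MIT", NOW - timedelta(days=40)),
    Release("2.1.0", "MIT", NOW - timedelta(days=10)),
    Release("2.1.1", "MIT", NOW - timedelta(days=1)),            # too new: blocked by cool-down
    Release("3.0.0", "GPL-3.0-only", NOW - timedelta(days=30)),  # license not on the allow-list
]

if __name__ == "__main__":
    picked = resolve(SAMPLE, POLICY, NOW)
    print("resolved:", picked.version if picked else "no eligible release")
    for rel in SAMPLE:
        print(rel.version, *check(rel, POLICY, NOW))
```

The same check runs unchanged whether the consumer is a developer workstation, a CI job or an AI coding agent, which is the point of fronting the registry with one policy-enforcing repository.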

For customers with heavy usage or constrained bandwidth, Kirkland emphasized that Chainguard will "continue to work with Artifactory and Cloudsmith and others and publish into those artifact registries," and that these repositories can be mirrored in-house to avoid hammering public services. That capability also reduces the load on struggling open-source mirrors that "literally cannot afford the bandwidth quotas."

Security and skills

Recognizing that CI systems are now among the most sensitive parts of the software supply chain, Chainguard unveiled two new product families: Chainguard Actions and Chainguard Agent Skills.

Lorenc took direct aim at GitHub Actions' security model, pointing out how hard it is for even diligent teams to verify that a marketplace action is trustworthy or correctly scoped. He cited examples where actions pulled remote scripts or binaries at runtime, or contained shell-injection risks that could leak tokens in complex pipelines, patterns reminiscent of real-world attacks like the GitHub-hosted HackerBot/Flaw campaigns.

Chainguard Actions are "secured by default, drop-in replacements of upstream GitHub Actions," built and continuously hardened in the factory, with tests auto-generated to ensure that security fixes don't break behavior. To adopt them, Lorenc said, customers can "replace [the upstream org] with chainguard-dev" in their workflows and then use a single GitHub setting to restrict usage to Chainguard's curated set.


Kirkland suggested similar problems are emerging in the fast-moving world of AI agent skills. These markdown bundles encode tools and best practices for AI agents. Kirkland loves agent skills. The moment AI became part of his "day-to-day workflow" was when he could ask Claude "to encapsulate this set of best practices… things that I want my teams and my developers and my managers and our engineers to do. Encapsulate that as a skill, and then feed that skill into the agent and say, this is the right way to do things." That's the good side of agents. The bad is that all too often, AI agent skills, like those shared in Moltbook, are filled with malicious capabilities.

To combat this issue, Kirkland explained that Chainguard has encapsulated "a couple of hundred" of these skills and is now making a curated, hardened subset available to customers as Chainguard Agent Skills, so teams can plug the capabilities directly into software build and review processes without worrying that a compromised skill might introduce vulnerabilities or exfiltrate data: "That's what we're insulating our customers against."

Perhaps the most ambitious announcement was Chainguard Gardener. This GitHub app brings pieces of Chainguard's factory into customer repositories. Once installed, Gardener scans selected repos for Dockerfiles, library dependencies, AI skills, and other artifacts that could be replaced with Chainguard-secured equivalents, then automatically opens pull requests to migrate, update tests, and keep dependencies current.


"The Gardener can constantly look through any of the repositories you decide to hook it up to," Kirkland explained. "It can identify artifacts that could be secured using Chainguard artifacts. So it can look at Dockerfiles and find images that could be Chainguard. It'll look at libraries that applications are using that could be Chainguard… [and] the skills and the agents that could be Chainguard." The idea, he said, is to give customers "a really good flywheel," Chainguard's own best practices, continuously applied within their software development life cycle.

Looking ahead, both Lorenc and Kirkland said they see the developer role itself changing rapidly. "The future of software development is… changing right before our eyes," Kirkland said, arguing that the new products together offer "everything that an enterprise or a developer needs to drive that work to push things further, faster, more secure." Lorenc was even blunter: "This was the best time in history to be writing software, but it's also the worst time… The bottleneck isn't code anymore. It's establishing trust." He's not wrong.
